The security risks of migrating legacy applications to the cloud [Q&A]
Enterprise use of the public cloud is taking off in a big way and it's estimated that by 2018, half of the applications running in public cloud environments will be considered mission-critical by the organizations that use them.
But migrating legacy applications to the cloud can lead to new security risks as how the application is used and hosted could differ from the original deployment.
We spoke to Drew Kilbourne, Managing Director at application security specialist Cigital to find out more about the risks and how to manage them.
BN: What are the risks of taking legacy applications into a cloud environment?
DK: Organizations should not fear security concerns when considering moving applications to the cloud. But they need to recognize that moving web applications to the cloud does not make them secure. Wherever you run an application, its vulnerabilities will follow and applications will remain a point of attack whether you simply move them to the cloud or make full use of the full range of cloud services. Organizations should embrace the security benefits of the cloud infrastructure and redirect resources to ensure application vulnerabilities are addressed to reduce the associated risks.
If an organization does not follow the basic principles of software security, the risks remain.
At the basic level, organizations should begin by analyzing the cloud platform layer controls and testing applications for vulnerabilities, remediating what is found. If more money is moved to software security, organizations can perform deeper testing, combining static testing (SAST) and dynamic testing (DAST) and code review. Given that 50 percent of application vulnerabilities begin in the architecture level, architecture and design reviews along with threat modeling make for a comprehensive program of removing the risks of web applications. It is entirely possible to bring the security readiness of the application to the security readiness of the cloud.
Responsibility is shared by the cloud service provider and cloud service user – generally, as a customer moves from IaaS to PaaS to SaaS, they give up security control and development/operational flexibility to the CSP. In exchange, the customer gains ease-of-use, ease-of-management, and convenience.
Risks could include, insufficient authentication and authorization, information disclosure, data validation, network, token and session management.
BN: What key factors do businesses need to identify before embarking on migration?
DK: Businesses need to cut through any cloud preconceptions, and encourage cloud decisions based on business requirements. They should develop an enterprise public cloud strategy, including security guidance on acceptable uses for IaaS, PaaS and SaaS and implement and enforce policies on usage responsibility and cloud-risk acceptance processes.
In addition, follow a life cycle governance approach that emphasizes the ongoing operational control of your public cloud use. And develop specific expertise in the security and control of each of the cloud models you will be using (IaaS, PaaS, SaaS).
Major CSPs offer varying degrees of assistance to their customers by providing pre-built security controls to help their customers make the move to the cloud with ease. However, understanding how these controls should be integrated and configured into applications is one of the fundamental security issues organizations need to address. There are experts who have deep knowledge of the particular security controls for all the major CSPs and are ready to assist in securely implementing the appropriate controls for applications.
BN: Can good software design help to reduce the risks?
DK: Yes, understanding and ensuring that the underlying architectural design of your application remains secure is not a trivial task, but can reduce the risks.
This applies whether you are designing an application architecture specifically for the cloud, or evolving the architecture of an application for the cloud, or assessing application architecture already in the cloud.
Good design will address critical areas and identify design flaws such as attack paths used by threat agents to compromise resources in the cloud. Secure architecture also encompasses areas such as containerization, that is, handling sensitive material within containers, and analyzing how authentication and authorization is designed for the management and application plane. It’s also about analyzing the encryption mechanism selected and key management design.
BN: Are there circumstances when the cloud should be avoided?
DK: CIOs and business leaders may fall into the trap of believing that public cloud infrastructure as a service (IaaS) will always be better and less expensive than running their own data centers. Consequently, they may consider migrating existing workloads from their data centers into cloud IaaS, when in reality they gain little benefit from doing so.
Although cloud IaaS -- especially when combined with integrated platform as a service (PaaS) -- often delivers significantly more functionality than internal IT infrastructure, the expense of such higher-quality solutions may not be cost-efficient for organizations that prefer to minimize IT expenditures and that will not benefit from more feature-rich solutions.
BN: What ongoing measures are needed after migration to ensure systems stay safe?
DK: Creating cloud-specific security policies is critical to ensuring that the security posture of your organization remains strong as you scale. Organizations need to implement policies to address areas such as authentication, authorization, logging, key management, encryption (at-rest, in-transit) and configuration/hardening.
A full cloud assessment will help to identify critical areas, such as out-of-date technologies and configurations. This will also include areas such as permissions placed on system files or a web server directory. Proper secure build reviews are great when you have context around what the system is actually designed to accomplish.
As more and more applications are being deployed in cloud, serving all kinds of end points, we have observed a shift of focus from 'securing applications' to 'securing applications fast, at scale'. Cloud-based application security testing answers many of the questions asked by senior personnel across large enterprises and SMBs alike.
Photo Credit: Roland IJdema/Shutterstock